Network scanner
It is a tool that tells you which machines are 'active' (reachable) on a given network range or subnet. Depending on the goal of the scan, it can also determine which services are running on those machines. In most cases we scan a network to understand its layout, and we scan an individual device to find a vulnerable service.
How does a scan work?
To determine whether a service is listening on a device, you have to try to talk to it: connect to the specific IP:PORT pair and interpret the reply (or the absence of one). The most popular techniques are listed below.
Scan Techniques
- TCP SYN, aka 'half-open':
We send a SYN packet and judge the port by the reply. A RST means the port is closed; a SYN/ACK means the port is open; no reply at all (or an ICMP unreachable error) means it is filtered. It is called 'half-open' because we never send the final ACK that would complete the handshake: the target gets a RST instead, so no full connection is established and the application behind the port usually never sees us. Crafting raw SYN packets normally requires elevated privileges on the scanning host (root or administrator).
- TCP Connect:
Uses the regular socket interface to open a full connection to the remote service and interprets the outcome the same way as the SYN scan (connection established = open, RST = closed, timeout = filtered). It needs no special OS privileges, but because the handshake completes, the target application will typically log the connection.
- UDP Scan: for services on UDP ports. UDP has no handshake, so we send a datagram (ideally a service-specific payload, since many services ignore an empty one) and wait. An ICMP 'port unreachable' reply means the port is closed; an application-layer reply means it is open; no reply at all is ambiguous ('open|filtered'), because a listening service may simply ignore our payload or a firewall may have dropped it. Many hosts also rate-limit ICMP errors, which makes UDP scans slow.
- Other types: ACK and Window scans, which are used mainly to map firewall rules rather than to find open ports; we will not elaborate on them here.
- NULL/FIN/XMAS Scans: these set (or leave unset) particular TCP flags in the probe instead of SYN. A RST response means the port is closed; no response means open|filtered. They only work against TCP stacks that follow RFC 793 strictly; Windows, for example, answers with RST regardless, so every port looks closed.
Note that when a firewall sits between the scanner and the target, the results can be altered: silently dropped probes show up as 'filtered', and a firewall that actively rejects traffic with RST can make a port look closed when it is really unreachable.
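The two unprivileged techniques above, TCP Connect and the UDP probe, written out in plain Python as an added example (not code from the original page and not nmap's own code). It assumes a scan against a constructed loopback target: a throwaway listener started in a thread plays the open port, and a port nothing listens on plays the closed one. The 'closed' verdict for UDP relies on the kernel turning the ICMP port-unreachable into ECONNREFUSED on a connected socket (Linux behaviour); elsewhere the probe just times out and is reported as the ambiguous open|filtered, which is exactly the caveat the text describes. A SYN scan needs raw sockets and is not shown.

```python
"""TCP connect scan and UDP probe in plain Python (added example)."""
import socket
import threading
import time
from typing import Dict, Iterable, Tuple


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0,
                     delay: float = 0.0) -> Dict[int, str]:
    """Return {port: 'open' | 'closed' | 'filtered'} using full TCP connects.

    open     -> the three-way handshake completed (SYN/ACK came back)
    closed   -> the peer answered RST, surfaced as ECONNREFUSED
    filtered -> nothing came back within `timeout` (or the route failed),
                which is what a firewall silently dropping the SYN looks like
    delay    -> pause between probes, the same idea as nmap's --scan-delay
    """
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:          # timeout, EHOSTUNREACH, ENETUNREACH, ...
                results[port] = "filtered"
        if delay:
            time.sleep(delay)
    return results


def udp_probe(host: str, port: int, payload: bytes = b"\x00",
              timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'open|filtered' for one UDP port.

    The socket is connect()ed so that an ICMP port-unreachable for it is
    reported to us as ECONNREFUSED on the next recv (Linux). Silence is
    reported as 'open|filtered', as nmap does, because it is ambiguous.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"            # the service actually answered
        except ConnectionRefusedError:
            return "closed"          # ICMP port unreachable came back
        except OSError:
            return "open|filtered"   # ignored payload, or a firewall


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Constructed target: a throwaway TCP listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)              # lets the accept loop notice close()

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()         # we only need the handshake to complete
            except socket.timeout:
                continue
            except OSError:          # listener closed: stop
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on: bind to 0, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> Tuple[str, str, str]:
    """Scan one open and one closed loopback port; return the three verdicts."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        tcp = tcp_connect_scan("127.0.0.1", [open_port, closed_port], delay=0.05)
        udp = udp_probe("127.0.0.1", closed_port)
    finally:
        srv.close()
    return tcp[open_port], tcp[closed_port], udp


if __name__ == "__main__":
    print(demo())
```

Point tcp_connect_scan at a host behind a firewall that drops packets and the timeout, not a RST, decides the verdict; that is why a slow 'filtered' result costs the full timeout per port while open and closed ports answer in a round trip.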
Nmap
Probably the most famous network scanner. It is simple to use and is the everyday tool of security researchers and pen-testers. A short guide follows.
Nmap short guide
Simple usage for scanning one or more hosts
nmap -sT -p <ports> <targets>
- -sT selects a TCP Connect scan; switch to -sS for a SYN scan (needs root/administrator) or -sU for a UDP scan.
- -p <ports> specifies which ports to probe (TCP and/or UDP, see below).
Define specific port numbers
Nmap ships with an internal list of common ports ranked by how often they are found open, which is useful for mapping the usual servers on a network:
--top-ports <number>
Or choose your own port numbers. TCP and UDP ranges can be mixed with the T: and U: prefixes (no spaces inside the list; the U: part only takes effect when -sU is also given):
-p T:21-25,U:53
Timing
Sometimes we want to avoid tripping network security controls such as an IDS (intrusion detection system). An IDS may raise an alert when a single device opens an unusually high number of connections within a predefined time window. Nmap lets you slow down: you can insert a fixed delay between probes, cap the packet rate, or pick one of the built-in timing templates (-T0 'paranoid' up to -T5 'insane').
--scan-delay <time> # time in 'ms' (milliseconds), 's' (seconds), 'm' (minutes) or 'h' (hours)
Service Detection
Suppose we found a server with an open port and want to know exactly which service is behind it. Nmap can send application-layer probes to the port and match the responses against its signature database to identify the service, the product and often the version:
-sV --version-intensity <level> # from 0 (lightest) to 9 (try every probe); the default is 7
Use cases
Find all active web servers in your local network with a /24 ('Class C') scan (add -sV to learn which web server software answers):
nmap -sT -p T:80,443 192.168.0.1/24
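Once the scan runs unattended, the useful output is nmap's XML report (-oX), not the screen text. The following added example, not part of the original page and not nmap's own code, assembles an nmap command line from the options covered above, and parses the XML that nmap writes for a scan like the one just shown. The `SAMPLE_XML` is a constructed, trimmed report (real nmap output carries more attributes), and `run_nmap` is only called when the real binary is available.

```python
"""Build an nmap command line and parse its XML report (added example)."""
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional


def build_nmap_cmd(targets: Iterable[str], ports: Optional[str] = None,
                   scan: str = "-sT", version_detect: bool = False,
                   scan_delay: Optional[str] = None,
                   top_ports: Optional[int] = None,
                   out_xml: str = "-") -> List[str]:
    """Assemble argv for nmap from the options discussed above.

    out_xml='-' sends the XML report to stdout (-oX -). A list, not a
    string, is returned so that targets are never shell-interpreted.
    """
    cmd = ["nmap", scan]
    if ports:
        cmd += ["-p", ports]            # e.g. "T:80,443" or "T:21-25,U:53"
    elif top_ports:
        cmd += ["--top-ports", str(top_ports)]
    if version_detect:
        cmd.append("-sV")
    if scan_delay:
        cmd += ["--scan-delay", scan_delay]   # e.g. "500ms"
    cmd += ["-oX", out_xml]
    cmd += list(targets)
    return cmd


def run_nmap(cmd: List[str]) -> str:
    """Run the real nmap binary and return its XML report (not run offline)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Return one record per host that is up: its IPv4 address and its ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue                    # down hosts carry no port data
        addr_el = h.find("address[@addrtype='ipv4']")
        ports = []
        for p in h.findall("./ports/port"):
            st, svc = p.find("state"), p.find("service")
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": st.get("state") if st is not None else "unknown",
                "reason": st.get("reason") if st is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"addr": addr_el.get("addr") if addr_el is not None else None,
                      "ports": ports})
    return hosts


def open_web_servers(hosts: List[Dict]) -> List[str]:
    """Addresses with an open tcp/80 or tcp/443: the page's use case."""
    return sorted(h["addr"] for h in hosts
                  if any(p["proto"] == "tcp" and p["state"] == "open"
                         and p["port"] in (80, 443) for p in h["ports"]))


# Constructed sample of what `nmap -sT -sV -p T:80,443 -oX - 192.168.0.0/24`
# might report; trimmed to the elements the parser uses.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -sV -p T:80,443 -oX - 192.168.0.0/24">
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.0.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="conn-refused"/></port>
</ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.0.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="Apache httpd"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.0.30" addrtype="ipv4"/>
</host>
</nmaprun>"""


if __name__ == "__main__":
    print(build_nmap_cmd(["192.168.0.0/24"], ports="T:80,443", version_detect=True))
    print(open_web_servers(parse_nmap_xml(SAMPLE_XML)))
```

The `reason` attribute is worth keeping: it records why nmap chose the state (syn-ack, conn-refused, no-response), which is the difference between a port that is really closed and one that a firewall dropped, as described in the scan techniques section.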